Administering AD LDS Service Publication

In Active Directory environments, service publication refers to the ability of a service to publish information about itself in the directory and to the ability of clients to discover that information and locate the service. When a computer on which Active Directory Lightweight Directory Services (AD LDS) is running is joined to an Active Directory domain, AD LDS attempts to create service connection point (SCP) objects in Active Directory Domain Services (AD DS).

In Active Directory network environments, services can publish information about their existence using serviceConnectionPoint objects in the directory. These objects contain binding information that client applications use to find and connect to instances of the service. To access a service, a client does not have to know about specific computers; the objects in AD DS include this information.

When an AD LDS instance is running in an Active Directory environment, it makes a best-effort attempt to publish updated information about itself in AD DS. This attempt is a "best-effort" attempt because the attempt to create SCPs does not always succeed, and failure to create SCPs does not prevent the AD LDS instance from running or accepting client connections.

The attempt to create SCPs succeeds if:

The computer on which the AD LDS service is running is joined to a domain, and

The AD LDS service account possesses Create Child rights on the computer object where the serviceConnectionPoint object is to be created.

By default, AD LDS runs as NetworkService, and the serviceConnectionPoint object is created under the computer object that represents the computer on which AD LDS is running. If the SCP object already exists, AD LDS updates the object with any new information about the AD LDS instance.

A serviceConnectionPoint object contains the information in the following table.

Attribute                    Contents
keywords                     Globally unique identifier (GUID) of the NTDS Settings object under the computer object of the AD LDS instance
                             Site of the AD LDS instance
                             Instance name of the AD LDS instance
                             Operation master role (schema or naming), if held by the AD LDS instance
                             Distinguished name and GUID of the configuration directory partition of the AD LDS instance
                             Distinguished name and GUIDs of all application directory partitions on the AD LDS instance
serviceBindingInformation    LDAP connection point (in the form of ldap://computername:ldapport)
                             Secure Sockets Layer (SSL) connection point (in the form of ldaps://computername:sslport)

Note

The Keywords attribute is a multivalued attribute.

By default, the global catalog in AD DS contains the contents of the Keywords attribute of an SCP object. As a result, a client can locate an object on which an SCP is created, even if the object is located in a different domain than the client.

Client applications can find AD LDS instances by searching the SCP attributes that are contained in the global catalog. For information about performing this search programmatically, see How Clients Find and Use a Service Connection Point http://go.microsoft.com/fwlink/?linkid=15391. (Unlike the example shown at the Microsoft MSDN Web site, client applications need to perform only one search to retrieve the information necessary for AD LDS binding.) Client applications can search for the AD LDS object identifier, configuration partition GUID, AD LDS instance GUID, AD LDS instance name, or any directory partition. Client applications may also perform load balancing by selecting an AD LDS instance at random when a search returns more than one applicable AD LDS instance. Because an SCP is only a pointer to a host name and port, a client should treat it as discovery data rather than as proof of the server's identity: prefer the ldaps connection point and validate the server certificate before sending credentials.

AD LDS does not require that SCPs be published to run successfully. AD LDS operates successfully with or without SCPs. Examples of environments without SCPs include workgroup environments and AD LDS instances that are running under service accounts that do not possess sufficient privileges to create SCPs. In these cases, client applications can rely on Domain Name System (DNS) to resolve the host name of a computer on which AD LDS is running. Note, however, that AD LDS instances, unlike domain controllers in Active Directory, do not create service (SRV) records in DNS.

By default in Active Directory environments, the AD LDS service creates SCPs in Active Directory Domain Services (AD DS) when the AD LDS service starts. To successfully create SCPs, the AD LDS service account must have sufficient rights in AD DS. If SCP creation fails, AD LDS writes an event to the AD LDS event log regarding the failure.

Additional Considerations

The default location for the AD LDS SCP object is under the computer object that represents the computer on which AD LDS is running. This default location can be altered by specifying a different location on the SCPPublishingService object.

When it is used as the AD LDS service account on a computer that is joined to a domain, the Network Service account usually has sufficient rights to create SCPs in AD DS. However, when it is used on an AD LDS instance that is running on a domain controller, the Network Service account does not have sufficient rights to create SCPs in AD DS.

An AD LDS instance deletes its SCP from AD DS when you remove the AD LDS instance from the computer. Removing the SCP requires sufficient administrative privileges. If SCP removal fails, client applications may be directed to a nonexistent AD LDS instance.

An AD LDS instance checks and updates, if necessary, its SCP each time the AD LDS instance starts. At startup, the AD LDS instance searches the global catalog for its own globally unique identifier (GUID) and retrieves the distinguished name of the SCP object. The AD LDS instance then binds to that distinguished name and updates the SCP object as necessary. In addition, the AD LDS instance reviews the SCP object on an hourly basis by default to confirm its validity, particularly regarding any directory partitions that have been added to or removed from the AD LDS instance since the SCP object was last updated.
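The following PowerShell is an added example, not code from the original article or from Microsoft. It does what the client-discovery paragraph above describes (one global catalog search for SCPs whose keywords match an AD LDS instance, then a random choice among the results) and also covers the stale-SCP case from the Additional Considerations: each published endpoint is tested before it is offered to the caller, and SCPs that no longer answer are reported so an administrator can remove them. It assumes a domain-joined client that can reach a global catalog; the instance name 'FabrikamApp' is a placeholder.

```powershell
# Added example (not from the original article): discover AD LDS instances through the
# serviceConnectionPoint objects they publish in AD DS, check that each published endpoint
# still listens, and pick a live LDAPS endpoint at random. 'FabrikamApp' is a placeholder.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a caller-supplied keyword cannot change the filter's
    # structure (LDAP filter injection). Backslash must be escaped first.
    param([Parameter(Mandatory)][string] $Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Test-TcpEndpoint {
    param([string] $HostName, [int] $Port, [int] $TimeoutMs = 2000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try     { return ($client.ConnectAsync($HostName, $Port).Wait($TimeoutMs) -and $client.Connected) }
    catch   { return $false }
    finally { $client.Dispose() }
}

function Find-AdLdsInstance {
    param(
        [Parameter(Mandatory)][string] $Keyword,   # instance name, partition DN or GUID (all are SCP keywords)
        [int] $TimeoutMs = 2000
    )
    $forestRoot = ([ADSI] 'LDAP://RootDSE').rootDomainNamingContext.Value
    $searcher   = [System.DirectoryServices.DirectorySearcher]::new([ADSI] "GC://$forestRoot")
    $searcher.Filter = "(&(objectClass=serviceConnectionPoint)(keywords=$(ConvertTo-LdapFilterValue $Keyword)))"
    [void] $searcher.PropertiesToLoad.AddRange([string[]] @('distinguishedName', 'serviceBindingInformation'))

    foreach ($hit in $searcher.FindAll()) {
        $dn      = [string] $hit.Properties['distinguishedname'][0]
        $binding = @($hit.Properties['servicebindinginformation'])
        if ($binding.Count -eq 0) {
            # Only keywords is guaranteed to be in the global catalog; read the full object if needed.
            $binding = @(([ADSI] "LDAP://$dn").serviceBindingInformation)
        }
        foreach ($url in $binding) {
            # AD LDS publishes ldap://host:port and ldaps://host:port; ignore anything else.
            if ($url -notmatch '^(?<scheme>ldaps?)://(?<host>[^:/\s]+):(?<port>\d{1,5})$') { continue }
            $scheme = $Matches.scheme; $hostName = $Matches.host; $port = [int] $Matches.port
            [pscustomobject] @{
                ScpDn     = $dn
                Url       = [string] $url
                Scheme    = $scheme
                HostName  = $hostName
                Port      = $port
                Reachable = Test-TcpEndpoint -HostName $hostName -Port $port -TimeoutMs $TimeoutMs
            }
        }
    }
}

$endpoints = Find-AdLdsInstance -Keyword 'FabrikamApp'

# An SCP left behind by a removed instance shows up as an endpoint that no longer answers.
$endpoints | Where-Object { -not $_.Reachable } |
    ForEach-Object { Write-Warning "Stale or unreachable SCP $($_.ScpDn) -> $($_.Url)" }

# Prefer LDAPS: the SCP only names a host and port, so do not send credentials in the clear
# to whatever it points at. A random pick among live endpoints is the simple load balancing
# the article mentions.
$target = $endpoints | Where-Object { $_.Reachable -and $_.Scheme -eq 'ldaps' } | Get-Random
if ($null -eq $target) { throw "No reachable LDAPS endpoint is published for 'FabrikamApp'." }

$authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
$rootDse  = [System.DirectoryServices.DirectoryEntry]::new(
    "LDAP://$($target.HostName):$($target.Port)/RootDSE", $null, $null, $authType)
"Bound to $($target.Url); naming contexts: $($rootDse.Properties['namingContexts'] -join '; ')"
```

The keyword is escaped before it goes into the filter because instance names and partition DNs are often taken from configuration or user input, and an unescaped `*` or `)` would widen the search to SCPs of unrelated services. The LDAPS bind uses the SSL flag so that the server certificate is checked by SChannel; a certificate failure is the right outcome when an SCP points at the wrong host.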

Note

You can modify the default time interval at which AD LDS reviews the SCP object by adding a value named Server information update interval (mins) to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\instancename\Parameters, and setting this value to the time interval (in minutes) that you want to use. The service for an AD LDS instance is registered under the name ADAM_instancename, so the key is normally found at ...\Services\ADAM_instancename\Parameters.

One efficient way to manage SCPs for AD LDS is to create an SCP container for your AD LDS configuration set in AD DS. In this container, place the computer objects of the computers on which AD LDS instances are running. In addition, create a group called, for example, "AD LDS instances," and assign permissions on the SCP container to the group. Also, delegate control of the group to the assigned AD LDS administrator. Then, each time the AD LDS administrator installs a new AD LDS instance under a new service account, the AD LDS administrator can simply add the new service account to the "AD LDS instances" group, and the AD LDS instance creates and maintains its SCPs transparently. Keep the permissions on the container to what SCP publication needs (creating, deleting and updating serviceConnectionPoint objects) rather than granting the group full control: any account that can write to the container can publish or alter binding information that clients in the whole forest will follow.
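The following PowerShell is an added example, not code from the original article or from Microsoft. It builds the AD DS side of the delegation model just described: a container for one configuration set's SCPs, a domain local group for the AD LDS service accounts, and access rules that grant the group only the rights publication needs (create and delete child objects of class serviceConnectionPoint in the container, and write properties on those SCPs so an instance can refresh its own entry). It assumes the ActiveDirectory module and rights to change the container's ACL; the OU, container, group, computer and instance names are placeholders.

```powershell
# Added example (not from the original article): delegate SCP publication for one AD LDS
# configuration set with least privilege. All names below are placeholders.
Import-Module ActiveDirectory

function New-AdLdsScpDelegation {
    param(
        [Parameter(Mandatory)][string] $ParentDn,       # e.g. 'OU=AD LDS,DC=corp,DC=fabrikam,DC=com'
        [Parameter(Mandatory)][string] $ContainerName,  # e.g. 'FabrikamApp SCPs'
        [Parameter(Mandatory)][string] $GroupName       # e.g. 'AD LDS instances - FabrikamApp'
    )
    $containerDn = "CN=$ContainerName,$ParentDn"
    try   { $container = Get-ADObject -Identity $containerDn }
    catch { $container = New-ADObject -Name $ContainerName -Type container -Path $ParentDn -PassThru }

    # Domain local scope so computer accounts (NetworkService publishes as the computer account)
    # and service accounts from any domain in the forest can be members.
    $group = Get-ADGroup -Filter "Name -eq '$($GroupName.Replace("'", "''"))'"
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $ParentDn -PassThru
    }

    # Look up the class GUID from the schema instead of hard-coding it.
    $scpClassGuid = [guid] (Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=serviceConnectionPoint)' -Properties schemaIDGUID).schemaIDGUID
    $sid   = [System.Security.Principal.SecurityIdentifier] $group.SID
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -Path "AD:\$containerDn"
    # Create and delete child objects, but only serviceConnectionPoint objects, and only directly here.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights] 'CreateChild, DeleteChild', $allow,
        $scpClassGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None))
    # An instance rewrites its SCP at startup and on its review interval, so allow property writes
    # on SCPs beneath the container, and nothing on objects of any other class.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $scpClassGuid))
    Set-Acl -Path "AD:\$containerDn" -AclObject $acl

    [pscustomobject] @{ ContainerDn = $container.DistinguishedName; Group = $group.DistinguishedName }
}

$delegation = New-AdLdsScpDelegation -ParentDn 'OU=AD LDS,DC=corp,DC=fabrikam,DC=com' `
    -ContainerName 'FabrikamApp SCPs' -GroupName 'AD LDS instances - FabrikamApp'

# A new instance running as NetworkService publishes as its computer account, so that joins the group.
Add-ADGroupMember -Identity $delegation.Group -Members (Get-ADComputer -Identity 'ADLDS01')
# The new membership reaches the service's token only at its next start; the service is ADAM_<instance name>.
Invoke-Command -ComputerName 'ADLDS01' -ScriptBlock { Restart-Service -Name 'ADAM_FabrikamApp' }
```

The container DN returned by the function is what you then point the instances at as their SCP location (on the SCPPublishingService object described under Additional Considerations); without that step the instances keep publishing under their own computer objects, where the group's rights do not apply.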

SCP-related errors do not prevent an AD LDS instance from functioning properly. AD LDS does, however, report SCP-related errors in the AD LDS event log so that errors can be resolved. AD LDS reports SCP-related errors as follows:

When an SCP creation or update fails, the AD LDS instance reports the error and points to a .ldf file that can be used to manually resolve the problem. Using this .ldf file to create or update the SCPs (for example, by importing it with ldifde -i -f filename.ldf) requires administrator privileges in AD DS.

When AD LDS fails to remove an SCP object, AD LDS reports this failure both in the audit log of the appropriate domain controller and in the AD LDS event log.